Allow containerized undercloud deploy with SELinux

When SELinux is enforcing, use the docker volume mount flag
:z for the docker-puppet tool's bind-mounted volumes in RW mode.
Note, if a volume mount with a Z, then the label will be specific
to the container, and not be able to be shared between containers.

Volumes from /etc/pki mounted RO do not require the context changes.
For those RO volumes that do require it, use :ro,z.

For deploy-steps, make sure ansible file resources in /var/lib/
are enforced the same SELinux context attributes what docker's :z
provides.

Partial-bug: #1682179
Related-bug: #1723003

Change-Id: Idc0caa49573bd88e8410d3d4217fd39e9aabf8f2
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>

common/deploy-steps.j2

@@ -219,12 +219,12 @@ resources:
                     -
                       # Write the manifest for baremetal puppet configuration
                       - name: Create /var/lib/tripleo-config directory
-                        file: path=/var/lib/tripleo-config state=directory
+                        file: path=/var/lib/tripleo-config state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
                       - name: Write the puppet step_config manifest
                         copy: content="{{ '{{' }}puppet_step_config{{ '}}' }}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes mode=0600
                       # this creates a JSON config file for our docker-puppet.py script
                       - name: Create /var/lib/docker-puppet
-                        file: path=/var/lib/docker-puppet state=directory
+                        file: path=/var/lib/docker-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
                       - name: Write docker-puppet-tasks json files
                         copy: content="{{ '{{' }}puppet_config | to_json{{ '}}' }}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes mode=0600
                       # FIXME: can we move docker-puppet somewhere so it's installed via a package?
@@ -241,7 +241,7 @@ resources:
                         copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{ '{{' }}item.key{{ '}}' }}.json" force=yes mode=0600
                         with_dict: "{{ '{{' }}docker_startup_configs{{ '}}' }}"
                       - name: Create /var/lib/kolla/config_files directory
-                        file: path=/var/lib/kolla/config_files state=directory
+                        file: path=/var/lib/kolla/config_files state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
                       - name: Write kolla config json files
                         copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="{{ '{{' }}item.key{{ '}}' }}" force=yes mode=0600
                         with_dict: "{{ '{{' }}kolla_config{{ '}}' }}"

docker/docker-puppet.py

@@ -273,10 +273,10 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                 '--env', 'HOSTNAME=%s' % short_hostname(),
                 '--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''),
                 '--env', 'STEP=%s' % os.environ.get('STEP', '6'),
-                '--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
+                '--volume', '%s:/etc/config.pp:ro,z' % tmp_man.name,
-                '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
+                '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro,z',
-                '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
+                '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro,z',
-                '--volume', '%s:/var/lib/config-data/:rw' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
+                '--volume', '%s:/var/lib/config-data/:z' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
                 '--volume', 'tripleo_logs:/var/log/tripleo/',
                 # Syslog socket for puppet logs
                 '--volume', '/dev/log:/dev/log',
@@ -286,7 +286,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                 '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
                 '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
                 # script injection
-                '--volume', '%s:%s:rw' % (sh_script, sh_script) ]
+                '--volume', '%s:%s:z' % (sh_script, sh_script) ]
 
         for volume in volumes:
             if volume:

releasenotes/notes/containers-selinux-context-13b720cc1d5ec6f2.yaml

@@ -0,0 +1,16 @@
+---
+upgrade: &notes
+  - |
+    The configuration management related directories managed by the
+    tripleo deployment tools and bind-mounted as docker volumes now
+    using the `:z` flag, which is a docker's equivalent for
+    `chcon -Rt svirt_sandbox_file_t -l s0`. This makes those
+    directories available for all containers on the host, in the
+    shared mode: `/var/lib/tripleo-config`, `/var/lib/docker-puppet`,
+    `/var/lib/kolla/config`, `/etc/puppet`,
+    `/usr/share/openstack-puppet/modules/`, `/var/lib/config-data`.
+security: *notes
+fixes:
+  - |
+    Allow containerized services to be executed on hosts with SELinux
+    in the enforcing mode.